Make wal_compression PGC_SUSET rather than PGC_USERSET.

When enabling wal_compression, there is a risk to leak data similarly to the BREACH and CRIME attacks on SSL where the compression ratio of a full page image gives a hint of what is the existing data of this page. This vulnerability is quite cumbersome to exploit in practice, but doable. So this patch makes wal_compression PGC_SUSET in order to prevent non-superusers from enabling it and exploiting the vulnerability while DBA thinks the risk very seriously and disables it in postgresql.conf. Back-patch to 9.5 where wal_compression was introduced.
11 years ago · 19a6545815
parent 1a0959b388
commit 19a6545815
2 changed files with 2 additions and 1 deletions
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@ -2303,6 +2303,7 @@ include_dir 'conf.d'
        <xref linkend="guc-full-page-writes"> is on or during a base backup.
        A compressed page image will be decompressed during WAL replay.
        The default value is <literal>off</>.
+        Only superusers can change this setting.
       </para>

       <para>
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@ -995,7 +995,7 @@ static struct config_bool ConfigureNamesBool[] =
 	},

 	{
-		{"wal_compression", PGC_USERSET, WAL_SETTINGS,
+		{"wal_compression", PGC_SUSET, WAL_SETTINGS,
 			gettext_noop("Compresses full-page writes written in WAL file."),
 			NULL
 		},